In March 2014, Le Monde journalists – Martin Untersinger and Jacques Follorou, released an article providing documents from the Communications Security Establishment Canada (CSEC) accusing France of cyber-attacks against Iran between November 2009 and 2010 including the Atomic Energy Organization of Iran (AEOI).
In July 2012, two years after the first discovery of Stuxnet, Meghan Kelly wrote for Venture Beat mentioning that an Iranian AEOI scientist sent an SOS e-mail to F-Secure Chief Research Officer Mikko Hypponen, saying the AEOI was under a cyber attack. In his email, the scientist explained the malware shutdown the AEOI their automation networks in Natanz and Fordo facilities. As a reminder, Stuxnet is believed to be a joint project between the U.S. and Israel as covered by David Sanger for the New York Times back in June, 2012.
In conclusion, those events provide additional context on the political alignment between the U.S. and France on the current talks over Iran.
Last week again, during his polemical intervention, Bibi raised his “concerns” on Iranian Nuclear capabilities and urged the congress to “act quickly” because “time is running out”. As Jon Stewart and the Intercept recently reminded us, Bibi made a strangely similar claim in front of congress 19 years ago. In addition of the Israeli concerns on the Iranian nuclear capabilities, adds the 2007 Israeli airstrike during the night of the 5th September targeting Syria’s Al Kibar Nuclear Reactor as covered by Erich Follath and Holger Stark for Der Spiegel in November 2009. This was also one of the first notable cyber-attack, as initially covered by David Fulghum for Aviation Week in November 2007 – that subscribes to the “War on Fear” Era. Pierre Razoux, Head of Research at NATO, provided a detailed analysis of the raid mentioning that the North Korean supplied nuclear components were part of the targets of the airstrike.
An airstrike where the U.S. denied any involvement:
There was no U.S. active engagement other than consulting on potential target vulnerabilities, says a U.S. electronic warfare specialist.
The recent discoveries of BABAR, EVILBUNNY and CASPER are currently putting French General Directorate for External Security (DGSE) in the spotlight of current nation state cyber-attackers due to the allegation from CSEC. Although, BABAR (allegedly French malware) and STUXNET (allegedly U.S.-Israeli malware) seem to share the same political goal, the motives behind CASPER, which had been discovered in April 2014 on the Syrian Judicial Private Investigation Commission website (jpic.gov.sy), still remain unclear.
This translates as three different alleged main actors who targeted Iran and Syria on nuclear matters since 2007, the third and most recent potential actor (France) is not so surprising if you remember the nature of the relationship between France and Iran was in late 2009. On 25 September 2009, David Sanger and William J. Broad wrote an article for the NYT explaining that the U.S. and France were “warning” Iran over “Nuclear Deception” where we can read the following:
President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands, and Mr. Brown said, “The international community has no choice today but to draw a line in the sand.”
WMI Query :: “SELECT * FROM AntiVirusProduct”
One of the technique shared across from BABAR, EVILBUNNY, and CASPER – as highlighted by Marion Marschalek and Paul Rascagneres – is the ability to to retrieve AntiVirus information by using the following WMI Query “SELECT * FROM AntiVirusProduct”. A very simplistic trick as you can see in the above screenshot, but which only publicly appeared during 2008. The first occurrence of the above WMI SQL Query is from May 2008 in a blogpost of a Microsoft employee, Alejandro Campos Magenci who first provided a proof of concept (POC) VB script – then a second occurrence appeared few months later on a French online forum called “Comment Ca Marche” (How Does It Work, an online collaborative website like StackOverflow) by user operating the nickname cs_omnia and authored by Hanteville Nicolas on the 12th September 2008. This time, the POC appeared as a C++ implementation – providing enough information on using the Win32 WMI APIs – making it the first public usable C++ implementation. If the authors are the French government as what the CSEC suggest, this suggest that the authors heard of this trick from this French collaborative forum.
Those recent events demonstrate the alignment between the Five Eyes, Israel and France regarding Iran, Syria and North Korea on the nuclear matters – and this goes without mentioning the rise of Daesh (ISIS) cells from Syria & Iraq in Europe.
Although, cyber-attack attribution is known to be difficult, controvertial and that there is still a possibility that CSEC attribution to the French government may be erroneous. But as @thegrugq, an Operation Security expert, would ironically say:
After extensive research of the most likely suspect, it turns out over 5 million Chinese speak French! There are 1.3Bn Chinese, so 5/1,300 malware samples are expected to be in French – The Grugq
|1996||First Bibi’s congress speech on the Iranian nuclear plan concerns.|
|6 Sept 2007||Israeli airstrike on Syrian Nuclear Plant (with nuclear components supplied by North Korea)|
|12 May 2008||Microsoft employee, Alejandro Campos Magencio, posted trick to retrieve antivirus using WMI on Microsoft MSDN blog|
|12 Sept 2008||French developer cs_omnia released published first public C++ implementation of WMI “SELECT * FROM AntiVirusProduct” trick, authored by Hanteville Nicolas, on “Comment ca marche”|
|Sept 2009||President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands|
|Nov 2009||Allegedly French malware BABAR (SNOWBALL) discovered by CSEC.|
|Nov 2009||The Story of ‘Operation Orchard': How Israel Destroyed Syria’s Al Kibar Nuclear Reactor by Der Spiegel|
|Mid-2010||Allegedly French malware SNOWMAN (Improved version of SNOWBALL) discovered by CSEC|
|2010-2011||STUXNET, DUQU, and FLAME – were all spotted in Iran and were mainly targeting Iranian Nuclear interests.|
|2011||CSEC internally issues SNOWGLOBE: From Discovery to Attribution report|
|25 Oct 2011||EVILBUNNY compile time as highlighted by Marion Marschalek|
|1 Jun 2012||an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called “Operation Olympic Games”, started under President George W. Bush and expanded under President Barack Obama.|
|24 Jul 2012||an article by Meghan Kelly from VentureBeat reported how the Atomic Energy Organization of Iran e-mailed F-Secure’s chief research officer Mikko Hyppönen to report a new instance of malware.|
|21 Mar 2014||Le Monde released initial partial documents on SNOWGLOBE|
|7th Apr 2014||CASPER XML configuration file timestamp|
|28 Apr 2014||Vyacheslav Zakorzhevsky (Kaspersky) observed that the website “jpic.gov.sy” was hosting two Flash zero-day exploit|
|2 Sept 2014||Syrian Judicial Private Investigation Commission website defaced by anti-Iranian hackers|
|17 Jan 2015||Der Spiegel release complete documents on SNOWGLOBE The Digital Arms Race: NSA Preps America for Future Battle|
|18 Feb 2015||Common patterns between EVILBUNNY and BABAR identified by Paul Rascagnere and Marion Marschalek|
|5 Mar 2015||Common patterns identified between BABAR, BUNNY and CASPER|
EDIT1 (7th April 2015):